# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR The FreeBSD Project
# This file is distributed under the same license as the FreeBSD Documentation package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
"POT-Creation-Date: 2023-04-20 20:56-0300\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: YAML Front Matter: description
#: documentation/content/en/books/handbook/jails/_index.adoc:1
#, no-wrap
msgid "Jails improve on the concept of the traditional chroot environment in several ways"
msgstr ""

#. type: YAML Front Matter: part
#: documentation/content/en/books/handbook/jails/_index.adoc:1
#, no-wrap
msgid "Part III. System Administration"
msgstr ""

#. type: YAML Front Matter: title
#: documentation/content/en/books/handbook/jails/_index.adoc:1
#, no-wrap
msgid "Chapter 16. Jails"
msgstr ""

#. type: Title =
#: documentation/content/en/books/handbook/jails/_index.adoc:14
#, no-wrap
msgid "Jails"
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:52
#, no-wrap
msgid "Synopsis"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:58
msgid ""
"Since system administration is a difficult task, many tools have been "
"developed to make life easier for the administrator.  These tools often "
"enhance the way systems are installed, configured, and maintained.  One of "
"the tools which can be used to enhance the security of a FreeBSD system is "
"_jails_.  Jails have been available since FreeBSD 4.X and continue to be "
"enhanced in their usefulness, performance, reliability, and security."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:66
msgid ""
"Jails build upon the man:chroot[2] concept, which is used to change the root "
"directory of a set of processes.  This creates a restricted environment, "
"separate from the rest of the file system.  Processes created in the "
"chrooted environment can not access files outside of it.  For that reason, "
"compromising a service running in a chrooted environment should not allow "
"the attacker to compromise the entire system.  However, a chroot has several "
"limitations.  It is suited to simple tasks which do not require much "
"flexibility or complex, advanced features.  Over time, many ways have been "
"found to escape from a chrooted environment, making it a less than ideal "
"solution for securing services."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:73
msgid ""
"Jails improve on the concept of the traditional chroot environment in "
"several ways.  In a traditional chroot environment, processes are only "
"limited in the part of the file system they can access.  The rest of the "
"system resources, system users, running processes, and the networking "
"subsystem are shared by the chrooted processes and the processes of the host "
"system.  Jails expand this model by virtualizing access to the file system, "
"the set of users, and the networking subsystem.  More fine-grained controls "
"are available for tuning the access of a jailed environment.  Jails can be "
"considered as a type of operating system-level virtualization."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:75
msgid "A jail is characterized by four elements:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:77
msgid ""
"A directory subtree: the starting point from which a jail is entered. Once "
"inside the jail, a process is not permitted to escape outside of this "
"subtree."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:78
msgid "A hostname: which will be used by the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:79
msgid ""
"An IP address: which is assigned to the jail. The IP address of a jail is "
"often an alias address for an existing network interface."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:80
msgid ""
"A command: the path name of an executable to run inside the jail. The path "
"is relative to the root directory of the jail environment."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:83
msgid ""
"Jails have their own set of users and their own `root` account which are "
"limited to the jail environment.  The `root` account of a jail is not "
"allowed to perform operations to the system outside of the associated jail "
"environment."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:86
msgid ""
"This chapter provides an overview of the terminology and commands for "
"managing FreeBSD jails.  Jails are a powerful tool for both system "
"administrators, and advanced users."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:88
msgid "After reading this chapter, you will know:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:90
msgid "What a jail is and what purpose it may serve in FreeBSD installations."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:91
msgid "How to build, start, and stop a jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:92
msgid ""
"The basics of jail administration, both from inside and outside the jail."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:97
msgid ""
"Jails are a powerful tool, but they are not a security panacea.  While the "
"jail mechanism is designed so that a jailed process cannot break out on its "
"own, there are several ways in which an unprivileged user outside the jail "
"can cooperate with a privileged user inside the jail to obtain elevated "
"privileges in the host environment."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:100
msgid ""
"Most of these attacks can be mitigated by ensuring that the jail root is not "
"accessible to unprivileged users in the host environment.  As a general "
"rule, untrusted users with privileged access to a jail should not be given "
"access to the host environment."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:103
#, no-wrap
msgid "Terms Related to Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:106
msgid ""
"To facilitate better understanding of parts of the FreeBSD system related to "
"jails, their internals and the way they interact with the rest of FreeBSD, "
"the following terms are used further in this chapter:"
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:107
#, no-wrap
msgid "man:chroot[8] (command)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:109
msgid ""
"A utility which uses the man:chroot[2] FreeBSD system call to change the "
"root directory of a process and all its descendants."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:110
#, no-wrap
msgid "man:chroot[2] (environment)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:113
msgid ""
"The environment of processes running in a \"chroot\".  This includes "
"resources such as the part of the file system which is visible, user and "
"group IDs which are available, network interfaces and other IPC mechanisms, "
"etc."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:114
#, no-wrap
msgid "man:jail[8] (command)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:116
msgid ""
"The system administration utility which allows launching of processes within "
"a jail environment."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:117
#, no-wrap
msgid "host (system, process, user, etc.)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:121
msgid ""
"The controlling system of a jail environment.  The host system has access to "
"all the hardware resources available, and can control processes both outside "
"of and inside a jail environment.  One of the important differences of the "
"host system from a jail is that the limitations which apply to superuser "
"processes inside a jail are not enforced for processes of the host system."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/jails/_index.adoc:122
#, no-wrap
msgid "hosted (system, process, user, etc.)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:124
msgid ""
"A process, user or other entity, whose access to resources is restricted by "
"a FreeBSD jail."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:126
#, no-wrap
msgid "Creating and Controlling Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:131
msgid ""
"Some administrators divide jails into the following two types: \"complete\" "
"jails, which resemble a real FreeBSD system, and \"service\" jails, "
"dedicated to one application or service, possibly running with privileges.  "
"This is only a conceptual division and the process of building a jail is not "
"affected by it.  When creating a \"complete\" jail there are two options for "
"the source of the userland: use prebuilt binaries (such as those supplied on "
"an install media) or build from source."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:132
#, no-wrap
msgid "Installing a Jail"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/jails/_index.adoc:135
#, no-wrap
msgid "To install a Jail from the Internet"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:139
msgid ""
"The man:bsdinstall[8] tool can be used to fetch and install the binaries "
"needed for a jail.  This will walk through the picking of a mirror, which "
"distributions will be installed into the destination directory, and some "
"basic configuration of the jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:143
#, no-wrap
msgid "# bsdinstall jail /here/is/the/jail\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:146
msgid ""
"Once the command is complete, the next step is configuring the host to run "
"the jail."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/jails/_index.adoc:148
#, no-wrap
msgid "To install a Jail from an ISO"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:152
msgid ""
"To install the userland from installation media, first create the root "
"directory for the jail.  This can be done by setting the `DESTDIR` variable "
"to the proper location."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:154
msgid "Start a shell and define `DESTDIR`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:159
#, no-wrap
msgid ""
"# sh\n"
"# export DESTDIR=/here/is/the/jail\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:162
msgid ""
"Mount the install media as covered in man:mdconfig[8] when using the install "
"ISO:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:167
#, no-wrap
msgid ""
"# mount -t cd9660 /dev/`mdconfig -f cdimage.iso` /mnt\n"
"# cd /mnt/usr/freebsd-dist/\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:171
msgid ""
"Extract the binaries from the tarballs on the install media into the "
"declared destination.  Minimally, only the base set needs to be extracted, "
"but a complete install can be performed when preferred."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:173
msgid "To install just the base system:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:177
#, no-wrap
msgid "# tar -xf base.txz -C $DESTDIR\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:180
msgid ""
"To install the base system together with the Ports Collection (other sets "
"on the media, such as `lib32` or `src`, can be added to the list as needed):"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:184
#, no-wrap
msgid "# for set in base ports; do tar -xf $set.txz -C $DESTDIR ; done\n"
msgstr ""
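
The extraction steps above unpack whatever `base.txz` happens to be on the media without checking it, whereas man:bsdinstall[8] compares each set against the `MANIFEST` file shipped beside the sets in [.filename]#usr/freebsd-dist#. The following shell functions are an added example, not Handbook code, that perform the same check before extracting. They assume `MANIFEST` is tab-separated with the file name in the first column and its SHA-256 in the second; `sha256_of` falls back to `sha256sum` where FreeBSD's man:sha256[1] is absent, so the check also runs on a non-FreeBSD host that is preparing a jail image.

```shell
#!/bin/sh
# Added example (not Handbook code): check each distribution set against the
# MANIFEST shipped next to it in usr/freebsd-dist before extracting it into the
# jail root.  Assumed MANIFEST layout: tab-separated lines whose first column is
# the file name (base.txz) and second column its SHA-256.

# sha256_of FILE -> hex digest; sha256(1) on FreeBSD, sha256sum elsewhere
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_dist DISTDIR NAME -> 0 if DISTDIR/NAME.txz matches MANIFEST, 1 otherwise
verify_dist() {
    distdir=$1 name=$2
    want=$(awk -F'\t' -v f="$name.txz" '$1 == f { print $2; exit }' "$distdir/MANIFEST")
    if [ -z "$want" ]; then
        echo "$name.txz: not listed in $distdir/MANIFEST" >&2
        return 1
    fi
    have=$(sha256_of "$distdir/$name.txz")
    if [ "$have" != "$want" ]; then
        echo "$name.txz: SHA-256 mismatch (have $have, want $want)" >&2
        return 1
    fi
}

# install_dists DISTDIR DESTDIR SET... -> verify every requested set, then extract;
# nothing is written to DESTDIR if any set fails verification
install_dists() {
    distdir=$1 destdir=$2
    shift 2
    for dist in "$@"; do
        verify_dist "$distdir" "$dist" || return 1
    done
    for dist in "$@"; do
        echo "extracting $dist.txz into $destdir"
        tar -xf "$distdir/$dist.txz" -C "$destdir" || return 1
    done
}

# On the host, with the ISO mounted as in the text:
#   install_dists /mnt/usr/freebsd-dist /here/is/the/jail base
#   install_dists /mnt/usr/freebsd-dist /here/is/the/jail base ports
```

`MANIFEST` travels with the media, so this only catches corruption or tampering that happened after the image was obtained; verify the ISO itself against the release's signed `CHECKSUM.SHA256` file first.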

#. type: Title ====
#: documentation/content/en/books/handbook/jails/_index.adoc:187
#, no-wrap
msgid "To build and install a Jail from source"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:190
msgid "The man:jail[8] manual page explains the procedure for building a jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:200
#, no-wrap
msgid ""
"# setenv D /here/is/the/jail\n"
"# mkdir -p $D      <.>\n"
"# cd /usr/src\n"
"# make buildworld  <.>\n"
"# make installworld DESTDIR=$D  <.>\n"
"# make distribution DESTDIR=$D  <.>\n"
"# mount -t devfs devfs $D/dev   <.>\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:203
msgid ""
"Selecting a location for a jail is the best starting point. This is where "
"the jail will physically reside within the file system of the jail's host. A "
"good choice can be [.filename]#/usr/jail/jailname#, where _jailname_ is the "
"hostname identifying the jail. Usually, [.filename]#/usr/# has enough space "
"for the jail file system, which for \"complete\" jails is, essentially, a "
"replication of every file present in a default installation of the FreeBSD "
"base system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:205
msgid ""
"If you have already rebuilt your userland using `make world` or `make "
"buildworld`, you can skip this step and install your existing userland into "
"the new jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:207
msgid ""
"This command will populate the directory subtree chosen as jail's physical "
"location on the file system with the necessary binaries, libraries, manual "
"pages and so on."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:208
msgid ""
"The `distribution` target for make installs every needed configuration file. "
"In simple words, it installs every installable file of [.filename]#/usr/src/"
"etc/# to the [.filename]#/etc# directory of the jail environment: [."
"filename]#$D/etc/#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:210
msgid ""
"Mounting the man:devfs[8] file system inside a jail is not strictly "
"required, but almost every application needs access to at least one device "
"node, such as [.filename]#/dev/null#.  It is very important to control which "
"devices are visible from inside a jail, as an unrestricted [.filename]#/dev# "
"exposes host devices, such as raw disks, to an attacker who gains `root` in "
"the jail.  Control over man:devfs[8] is managed through rulesets, which are "
"described in the man:devfs[8], man:devfs.rules[5] and man:devfs.conf[5] "
"manual pages.  When `mount.devfs` is used in man:jail.conf[5], the "
"`devfsrules_jail` ruleset from [.filename]#/etc/defaults/devfs.rules# is "
"applied unless another one is selected with `devfs_ruleset`."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:211
#, no-wrap
msgid "Configuring the Host"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:218
msgid ""
"Once a jail is installed, it can be started by using the man:jail[8] "
"utility.  The man:jail[8] utility takes four mandatory arguments which are "
"described in the <<jails-synopsis>>.  Other arguments may be specified too, "
"e.g., to run the jailed process with the credentials of a specific user.  "
"The `_command_` argument depends on the type of the jail; for a _virtual "
"system_, [.filename]#/etc/rc# is a good choice, since it will replicate the "
"startup sequence of a real FreeBSD system.  For a _service_ jail, it depends "
"on the service or application that will run within the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:220
msgid ""
"Jails are often started at boot time and the FreeBSD [.filename]#rc# "
"mechanism provides an easy way to do this."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:223
msgid "Configure jail parameters in [.filename]#jail.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:234
#, no-wrap
msgid ""
"www {\n"
"    host.hostname = www.example.org;           # Hostname\n"
"    ip4.addr = 192.168.0.10;                   # IP address of the jail\n"
"    path = \"/usr/jail/www\";                    # Path to the jail\n"
"    mount.devfs;                               # Mount devfs inside the jail\n"
"    exec.start = \"/bin/sh /etc/rc\";            # Start command\n"
"    exec.stop = \"/bin/sh /etc/rc.shutdown\";    # Stop command\n"
"}\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:238
msgid "Configure jails to start at boot time in [.filename]#rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:242
#, no-wrap
msgid "jail_enable=\"YES\"   # Set to NO to disable starting of any jails\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:246
msgid ""
"The default startup of jails configured in man:jail.conf[5], will run the [."
"filename]#/etc/rc# script of the jail, which assumes the jail is a complete "
"virtual system.  For service jails, the default startup command of the jail "
"should be changed, by setting the `exec.start` option appropriately."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:250
msgid ""
"For a full list of available options, please see the man:jail.conf[5] manual "
"page."
msgstr ""
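
To make two of the warnings in this chapter concrete (the jail root must not be readable by unprivileged host users, and a service jail should get only the capabilities it needs), here is an added example, not Handbook code, of a small man:jail.conf[5] linter written in sh and awk. It reports `allow.*` parameters that widen a jail's privileges (`allow.raw_sockets`, `allow.sysvipc`, `allow.chflags`, `allow.mount`, `allow.socket_af`), an `enforce_statfs` below 2, `devfs_ruleset = 0`, a missing `path`, and a `path` whose directory is accessible to group or others on the host. The configuration it runs on is constructed for the example: the `www` jail from above with two weakenings added, beside a hardened single-service `dns` jail; the jail names, addresses and directories are placeholders.

```shell
#!/bin/sh
# Added example (not Handbook code): lint a jail.conf(5) file for settings that
# widen a jail's privileges, and check that each jail root is closed to
# unprivileged host users.  Names and paths in the sample below are placeholders.

# jailconf_lint FILE -> one finding per line, "jailname: message"
jailconf_lint() {
    conf=$1
    awk '
    { sub(/#.*/, ""); buf = buf " " $0 }          # drop comments, join into one string
    END {
        gsub(/[{]/, "\n{\n", buf); gsub(/[}]/, "\n}\n", buf); gsub(/;/, "\n", buf)
        n = split(buf, tok, "\n"); jail = ""; prev = ""
        for (i = 1; i <= n; i++) {
            s = tok[i]; gsub(/^[ \t]+|[ \t]+$/, "", s)
            if (s == "") continue
            if (s == "{") { jail = prev; path = ""; continue }
            if (s == "}") {
                if (path == "") print jail ": no path; the jail is not confined to its own directory subtree"
                else print "PATH " jail " " path            # handed to the shell for the on-disk check
                jail = ""; continue
            }
            prev = s
            if (jail == "") continue
            key = s; val = ""
            if ((p = index(s, "=")) > 0) { key = substr(s, 1, p - 1); val = substr(s, p + 1) }
            gsub(/^[ \t"]+|[ \t"]+$/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            if (key == "path") path = val
            if (key ~ /^allow\.(raw_sockets|sysvipc|chflags|mount|socket_af)$/ && (val == "" || val == "1" || val == "true"))
                print jail ": " key " enabled; grant it only if the service needs it"
            if (key == "enforce_statfs" && val != "2")
                print jail ": enforce_statfs = " val " exposes host mount points inside the jail"
            if (key == "devfs_ruleset" && val == "0")
                print jail ": devfs_ruleset = 0 applies no devfs(8) rules, every device node is visible"
        }
    }' "$conf" | while IFS= read -r line; do
        case $line in
        "PATH "*)
            set -- $line; name=$2; dir=$3
            if [ -d "$dir" ]; then
                bits=$(ls -ld "$dir" | cut -c5-10)     # group and other permission bits
                if [ "$bits" != "------" ]; then
                    echo "$name: $dir is accessible to other host users (group/other bits $bits); chmod 700 it"
                fi
            fi ;;
        *) echo "$line" ;;
        esac
    done
}

# demo_lint: constructed sample, the www jail from the Handbook text with two
# weakenings added, beside a hardened single-service jail
demo_lint() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/jaillint.XXXXXX")
    mkdir -m 755 "$tmp/www"     # world-readable jail root: what the warning above is about
    mkdir -m 700 "$tmp/dns"
    cat > "$tmp/jail.conf" <<EOF
www {
    host.hostname = www.example.org;
    ip4.addr = 192.168.0.10;
    path = "$tmp/www";
    mount.devfs;
    allow.raw_sockets;            # weak: root in the jail can forge arbitrary packets
    enforce_statfs = 1;           # weak: host mount points become visible
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
dns {
    host.hostname = ns1.example.org;
    ip4.addr = 192.168.0.11;
    path = "$tmp/dns";
    mount.devfs;
    devfs_ruleset = 4;            # devfsrules_jail, the default for mount.devfs, stated explicitly
    enforce_statfs = 2;           # the default, stated explicitly
    securelevel = 3;              # a jail can raise the securelevel but never lower it below the host's
    exec.start = "/usr/sbin/service local_unbound onestart";
    exec.stop = "/usr/sbin/service local_unbound onestop";
}
EOF
    jailconf_lint "$tmp/jail.conf"
    rm -rf "$tmp"
}
demo_lint
```

Run against a real file with `jailconf_lint /etc/jail.conf` on the host; the `www` block above produces three findings (the raw socket grant, `enforce_statfs = 1`, and the world-readable root) and the `dns` block none. The linter understands the flat `name { ... }` form used in this chapter; it does not expand `$name` variables or nested jail definitions.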

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:253
msgid ""
"man:service[8] can be used to start or stop a jail by hand, if an entry for "
"it exists in [.filename]#jail.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:258
#, no-wrap
msgid ""
"# service jail start www\n"
"# service jail stop www\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:262
msgid ""
"Running the shutdown script with man:jexec[8] stops the services inside a "
"jail.  Use man:jls[8] to identify the jail's `JID`, then use man:jexec[8] to "
"run the shutdown script in that jail (man:jexec[8] also accepts the jail "
"name in place of the `JID`).  This leaves the jail itself in place; remove "
"it with `jail -r`, or use `service jail stop` as shown above, which runs "
"`exec.stop` and removes the jail in one step."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:269
#, no-wrap
msgid ""
"# jls\n"
"   JID  IP Address      Hostname                      Path\n"
"     3  192.168.0.10    www                           /usr/jail/www\n"
"# jexec 3 /etc/rc.shutdown\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:272
msgid ""
"More information about this can be found in the man:jail[8] manual page."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:274
#, no-wrap
msgid "Fine Tuning and Administration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:278
msgid ""
"There are several options which can be set for any jail, and various ways of "
"combining a host FreeBSD system with jails, to produce higher level "
"applications.  This section presents:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:280
msgid ""
"Some of the options available for tuning the behavior and security "
"restrictions implemented by a jail installation."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:281
msgid ""
"Some of the high-level applications for jail management, which are available "
"through the FreeBSD Ports Collection, and can be used to implement overall "
"jail-based solutions."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:283
#, no-wrap
msgid "System Tools for Jail Tuning in FreeBSD"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:289
msgid ""
"Fine tuning of a jail's configuration is mostly done by setting man:"
"sysctl[8] variables.  A special subtree of sysctl exists as a basis for "
"organizing all the relevant options: the `security.jail.*` hierarchy of "
"FreeBSD kernel options.  These sysctls supply the system-wide defaults; in "
"man:jail.conf[5] the same restrictions are set per jail with parameters such "
"as `allow.raw_sockets`, `allow.sysvipc`, `allow.chflags`, `allow.mount`, "
"`allow.set_hostname` and `enforce_statfs`, so a capability can be granted to "
"one jail instead of to all of them.  Here is a list of the main jail-related "
"sysctls, complete with their default value.  Names should be self-"
"explanatory, but for more information about them, please refer to the man:"
"jail[8] and man:sysctl[8] manual pages."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:291
msgid "`security.jail.set_hostname_allowed: 1`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:292
msgid "`security.jail.socket_unixiproute_only: 1`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:293
msgid "`security.jail.sysvipc_allowed: 0`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:294
msgid "`security.jail.enforce_statfs: 2`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:295
msgid "`security.jail.allow_raw_sockets: 0`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:296
msgid "`security.jail.chflags_allowed: 0`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:297
msgid "`security.jail.jailed: 0`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:302
msgid ""
"These variables can be used by the system administrator of the _host system_ "
"to add or remove some of the limitations imposed by default on the `root` "
"user.  Note that there are some limitations which cannot be removed.  The "
"`root` user is not allowed to mount or unmount file systems from within a "
"man:jail[8].  The `root` inside a jail may not load or unload man:devfs[8] "
"rulesets, set firewall rules, or do many other administrative tasks which "
"require modifications of in-kernel data, such as setting the `securelevel` "
"of the kernel."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:305
msgid ""
"The base system of FreeBSD contains a basic set of tools for viewing "
"information about the active jails, and attaching to a jail to run "
"administrative commands.  The man:jls[8] and man:jexec[8] commands are part "
"of the base FreeBSD system, and can be used to perform the following simple "
"tasks:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:307
msgid ""
"Print a list of active jails and their corresponding jail identifier (JID), "
"IP address, hostname and path."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:308
msgid ""
"Attach to a running jail, from its host system, and run a command inside the "
"jail or perform administrative tasks inside the jail itself. This is "
"especially useful when the `root` user wants to cleanly shut down a jail. "
"The man:jexec[8] utility can also be used to start a shell in a jail to do "
"administration in it; for example:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:312
#, no-wrap
msgid "# jexec 1 tcsh\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:315
#, no-wrap
msgid "High-Level Administrative Tools in the FreeBSD Ports Collection"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:320
msgid ""
"Among the many third-party utilities for jail administration, one of the "
"most complete and useful is package:sysutils/ezjail[].  It is a set of "
"scripts that contribute to man:jail[8] management.  Please refer to <<jails-"
"ezjail,the handbook section on ezjail>> for more information."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:322
#, no-wrap
msgid "Keeping Jails Patched and up to Date"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:327
msgid ""
"Jails should be kept up to date from the host operating system, as "
"attempting to patch the userland from within the jail is likely to fail: "
"the default behavior in FreeBSD is to disallow the use of man:chflags[1] in "
"a jail, which prevents the replacement of files carrying the `schg` flag.  "
"It is possible to change this behavior, but it is recommended to use man:"
"freebsd-update[8] from the host to maintain jails instead.  Use `-b` to "
"specify the path of the jail to be updated."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:329
msgid ""
"To update the jail to the latest patch release of the version of FreeBSD it "
"is already running, then execute the following commands on the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:334
#, no-wrap
msgid ""
"# freebsd-update -b /here/is/the/jail fetch\n"
"# freebsd-update -b /here/is/the/jail install\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:339
msgid ""
"To upgrade the jail to a new major or minor version, first upgrade the host "
"system as described in crossref:cutting-edge[freebsdupdate-"
"upgrade,“Performing Major and Minor Version Upgrades”].  Once the host has "
"been upgraded and rebooted, the jail can then be upgraded.  For example to "
"upgrade from 12.2-RELEASE to 12.3-RELEASE, on the host run:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:346
#, no-wrap
msgid ""
"# freebsd-update -b /here/is/the/jail --currently-running 12.2-RELEASE -r 12.3-RELEASE upgrade\n"
"# freebsd-update -b /here/is/the/jail install\n"
"# service jail restart myjail\n"
"# freebsd-update -b /here/is/the/jail install\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:351
msgid ""
"Then, if it was a major version upgrade, reinstall all installed packages "
"and restart the jail again.  This is required because the ABI version "
"changes when upgrading between major versions of FreeBSD.  From the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:356
#, no-wrap
msgid ""
"# pkg -j myjail upgrade -f\n"
"# service jail restart myjail\n"
msgstr ""
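
Patching one jail at a time as above does not scale, and a jail whose userland quietly lags the host is exactly what an attacker hopes to find. The following sh functions are an added example, not Handbook code, that inventory the userland version of each running jail from the host and apply the `fetch`/`install` sequence only where it differs from the host's. They assume that `jls -h name path` prints a header line followed by one `name path` line per jail, and that each jail root contains [.filename]#/bin/freebsd-version# from its base set; the version string is read from that file with awk rather than executed, so a compromised jail cannot run code on the host through it. `demo_outdated` builds two constructed jail roots so the check can be tried without any real jails.

```shell
#!/bin/sh
# Added example (not Handbook code): find running jails whose userland lags the
# host's and apply the Handbook's fetch/install sequence only to those.
# Assumptions: "jls -h name path" prints a header line followed by one
# "name path" line per jail, and every jail root contains /bin/freebsd-version
# from its base set, which records the userland version it was built from.

# userland_version ROOT -> the USERLAND_VERSION string recorded in ROOT/bin/freebsd-version.
# The file is read, not executed, so an untrusted jail's copy cannot run code on the host.
userland_version() {
    awk -F'"' '/^USERLAND_VERSION=/ { print $2; exit }' "$1/bin/freebsd-version"
}

# outdated_jails HOSTVER  (listing on stdin) -> "name path version" for each jail
# whose userland version differs from HOSTVER
outdated_jails() {
    hostver=$1
    tail -n +2 | while read -r name path; do
        v=$(userland_version "$path") && [ -n "$v" ] || {
            echo "$name: no usable bin/freebsd-version in $path" >&2; continue; }
        [ "$v" = "$hostver" ] || echo "$name $path $v"
    done
}

# patch_outdated -> fetch and install the current patch level into every outdated jail.
# Set FREEBSD_UPDATE=echo to preview the commands without running them.
patch_outdated() {
    hostver=$(freebsd-version -u)
    jls -h name path | outdated_jails "$hostver" | while read -r name path v; do
        echo "$name: $v -> $hostver"
        ${FREEBSD_UPDATE:-freebsd-update} -b "$path" fetch install || return 1
    done
}

# demo_outdated: two constructed jail roots (no real jails needed); only www is reported
demo_outdated() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/jailver.XXXXXX")
    mkdir -p "$tmp/www/bin" "$tmp/dns/bin"
    printf 'USERLAND_VERSION="13.2-RELEASE-p1"\n' > "$tmp/www/bin/freebsd-version"
    printf 'USERLAND_VERSION="13.2-RELEASE-p3"\n' > "$tmp/dns/bin/freebsd-version"
    printf 'name path\nwww %s/www\ndns %s/dns\n' "$tmp" "$tmp" | outdated_jails 13.2-RELEASE-p3
    rm -rf "$tmp"
}
demo_outdated
```

A jail running a different release than the host shows up as outdated too, but must not be patched with this loop: it needs the `--currently-running`/`-r` upgrade sequence above, after the host itself has been upgraded, followed by the package reinstall if the major version changed.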

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:359
#, no-wrap
msgid "Updating Multiple Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:363
msgid ""
"The management of multiple jails can become problematic because every jail "
"has to be rebuilt from scratch whenever it is upgraded.  This can be time "
"consuming and tedious if a lot of jails are created and manually updated."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:367
msgid ""
"This section demonstrates one method to resolve this issue by safely sharing "
"as much as is possible between jails using read-only man:mount_nullfs[8] "
"mounts, so that updating is simpler.  This makes it more attractive to put "
"single services, such as HTTP, DNS, and SMTP, into individual jails.  "
"Additionally, it provides a simple way to add, remove, and upgrade jails."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:372
msgid ""
"Simpler solutions exist, such as ezjail, which provides an easier method of "
"administering FreeBSD jails but is less versatile than this setup.  ezjail "
"is covered in more detail in <<jails-ezjail>>."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:375
msgid "The goals of the setup described in this section are:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:377
msgid ""
"Create a simple and easy to understand jail structure that does not require "
"running a full installworld on each and every jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:378
msgid "Make it easy to add new jails or remove existing ones."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:379
msgid "Make it easy to update or upgrade existing jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:380
msgid "Make it possible to run a customized FreeBSD branch."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:381
msgid ""
"Be paranoid about security, reducing as much as possible the possibility of "
"compromise."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:382
msgid "Save space and inodes, as much as possible."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:386
msgid ""
"This design relies on a single, read-only master template which is mounted "
"into each jail and one read-write device per jail.  A device can be a "
"separate physical disk, a partition, or a vnode-backed memory device.  This "
"example uses read-write nullfs mounts."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:388
msgid "The file system layout is as follows:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:390
msgid "The jails are based under the [.filename]#/home# partition."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:391
msgid "Each jail will be mounted under the [.filename]#/home/j# directory."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:392
msgid ""
"The template for each jail and the read-only partition for all of the jails "
"is [.filename]#/home/j/mroot#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:393
msgid ""
"A blank directory will be created for each jail under the [.filename]#/home/"
"j# directory."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:394
msgid ""
"Each jail will have a [.filename]#/s# directory that will be linked to the "
"read-write portion of the system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:395
msgid ""
"Each jail will have its own read-write system that is based upon [."
"filename]#/home/j/skel#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:396
msgid ""
"The read-write portion of each jail will be created in [.filename]#/home/js#."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:398
#, no-wrap
msgid "Creating the Template"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:401
msgid "This section describes the steps needed to create the master template."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:404
msgid ""
"It is recommended to first update the host FreeBSD system to the latest -"
"RELEASE branch using the instructions in crossref:cutting-"
"edge[makeworld,“Updating FreeBSD from Source”].  Additionally, this template "
"uses the package:sysutils/cpdup[] package or port, and link:{handbook}mirrors/"
"#git[Git] is used to download the FreeBSD Ports Collection."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:407
msgid ""
"First, create a directory structure for the read-only file system which will "
"contain the FreeBSD binaries for the jails. Then, change directory to the "
"FreeBSD source tree and install the read-only file system to the jail "
"template:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:413
#, no-wrap
msgid ""
"# mkdir /home/j /home/j/mroot\n"
"# cd /usr/src\n"
"# make installworld DESTDIR=/home/j/mroot\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:416
msgid ""
"Next, prepare a FreeBSD Ports Collection for the jails as well as a FreeBSD "
"source tree, which is required for mergemaster:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:423
#, no-wrap
msgid ""
"# cd /home/j/mroot\n"
"# mkdir usr/ports\n"
"# git clone -o freebsd https://git.FreeBSD.org/ports.git /home/j/mroot/usr/ports\n"
"# cpdup /usr/src /home/j/mroot/usr/src\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:426
msgid "Create a skeleton for the read-write portion of the system:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:435
#, no-wrap
msgid ""
"# mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles\n"
"# mv etc /home/j/skel\n"
"# mv usr/local /home/j/skel/usr-local\n"
"# mv tmp /home/j/skel\n"
"# mv var /home/j/skel\n"
"# mv root /home/j/skel\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:438
msgid ""
"Use mergemaster to install missing configuration files. Then, remove the "
"extra directories that mergemaster creates:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:444
#, no-wrap
msgid ""
"# mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i\n"
"# cd /home/j/skel\n"
"# rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:447
msgid ""
"Now, symlink the read-write file system to the read-only file system. Ensure "
"that the symlinks point at the correct locations under [.filename]#s/#, as "
"creating directories in the wrong locations will cause the installation to "
"fail."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:460
#, no-wrap
msgid ""
"# cd /home/j/mroot\n"
"# mkdir s\n"
"# ln -s s/etc etc\n"
"# ln -s s/home home\n"
"# ln -s s/root root\n"
"# ln -s ../s/usr-local usr/local\n"
"# ln -s ../s/usr-X11R6 usr/X11R6\n"
"# ln -s ../../s/distfiles usr/ports/distfiles\n"
"# ln -s s/tmp tmp\n"
"# ln -s s/var var\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:463
msgid ""
"As a last step, create a generic [.filename]#/home/j/skel/etc/make.conf# "
"containing this line:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:467
#, no-wrap
msgid "WRKDIRPREFIX?=  /s/portbuild\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:472
msgid ""
"This makes it possible to compile FreeBSD ports inside each jail.  Remember "
"that the ports directory is part of the read-only system.  The custom path "
"for `WRKDIRPREFIX` allows builds to be done in the read-write portion of "
"every jail."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:474
#, no-wrap
msgid "Creating Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:478
msgid ""
"The jail template can now be used to set up and configure the jails in [."
"filename]#/etc/rc.conf#.  This example demonstrates the creation of three "
"jails: `ns`, `mail` and `www`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:481
msgid ""
"Add the following lines to [.filename]#/etc/fstab#, so that the read-only "
"template for the jails and the read-write space will be available in the "
"respective jails:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:490
#, no-wrap
msgid ""
"/home/j/mroot   /home/j/ns     nullfs  ro  0   0\n"
"/home/j/mroot   /home/j/mail   nullfs  ro  0   0\n"
"/home/j/mroot   /home/j/www    nullfs  ro  0   0\n"
"/home/js/ns     /home/j/ns/s   nullfs  rw  0   0\n"
"/home/js/mail   /home/j/mail/s nullfs  rw  0   0\n"
"/home/js/www    /home/j/www/s  nullfs  rw  0   0\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:493
msgid ""
"The last two columns, the man:dump[8] frequency and the man:fsck[8] pass "
"number, are both set to `0` so that fsck does not check the nullfs mounts "
"during boot and dump does not back up the read-only nullfs mounts of the "
"jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:494
msgid "Configure the jails in [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:512
#, no-wrap
msgid ""
"jail_enable=\"YES\"\n"
"jail_set_hostname_allow=\"NO\"\n"
"jail_list=\"ns mail www\"\n"
"jail_ns_hostname=\"ns.example.org\"\n"
"jail_ns_ip=\"192.168.3.17\"\n"
"jail_ns_rootdir=\"/usr/home/j/ns\"\n"
"jail_ns_devfs_enable=\"YES\"\n"
"jail_mail_hostname=\"mail.example.org\"\n"
"jail_mail_ip=\"192.168.3.18\"\n"
"jail_mail_rootdir=\"/usr/home/j/mail\"\n"
"jail_mail_devfs_enable=\"YES\"\n"
"jail_www_hostname=\"www.example.org\"\n"
"jail_www_ip=\"62.123.43.14\"\n"
"jail_www_rootdir=\"/usr/home/j/www\"\n"
"jail_www_devfs_enable=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:516
msgid ""
"The `jail__name__rootdir` variable is set to [.filename]#/usr/home# instead "
"of [.filename]#/home# because the physical path of [.filename]#/home# on a "
"default FreeBSD installation is [.filename]#/usr/home#.  The "
"`jail__name__rootdir` variable must _not_ be set to a path which includes a "
"symbolic link, otherwise the jails will refuse to start."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:517
msgid ""
"Create the required mount points for the read-only file system of each jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:521
#, no-wrap
msgid "# mkdir /home/j/ns /home/j/mail /home/j/www\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:524
msgid ""
"Install the read-write template into each jail using package:sysutils/"
"cpdup[]:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:531
#, no-wrap
msgid ""
"# mkdir /home/js\n"
"# cpdup /home/j/skel /home/js/ns\n"
"# cpdup /home/j/skel /home/js/mail\n"
"# cpdup /home/j/skel /home/js/www\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:534
msgid ""
"In this phase, the jails are built and prepared to run. First, mount the "
"required file systems for each jail, and then start them:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:539
#: documentation/content/en/books/handbook/jails/_index.adoc:638
#, no-wrap
msgid ""
"# mount -a\n"
"# service jail start\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:544
msgid ""
"The jails should be running now.  To check if they have started correctly, "
"use `jls`.  Its output should be similar to the following:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:552
#, no-wrap
msgid ""
"# jls\n"
"   JID  IP Address      Hostname                      Path\n"
"     3  192.168.3.17    ns.example.org                /home/j/ns\n"
"     2  192.168.3.18    mail.example.org              /home/j/mail\n"
"     1  62.123.43.14    www.example.org               /home/j/www\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:557
msgid ""
"At this point, it should be possible to log onto each jail, add new users, "
"or configure daemons.  The `JID` column indicates the jail identification "
"number of each running jail.  Use the following command to perform "
"administrative tasks in the jail whose JID is `3`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:561
#, no-wrap
msgid "# jexec 3 tcsh\n"
msgstr ""
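The steps above, from the [.filename]#/etc/fstab# entries to the first `jls`, scripted for an arbitrary list of jails. This is an added example and not part of the Handbook; it assumes the layout used in this section (the template in [.filename]#/home/j/mroot#, mount points under [.filename]#/home/j#, read-write copies under [.filename]#/home/js#, and [.filename]#/home# being a symlink to [.filename]#/usr/home#), and the function names are this example's own. The `check_jail_rootdirs` function implements the caveat about `jail__name__rootdir` and symbolic links: it walks each path component and reports the first one that is a symlink, which is what makes a jail refuse to start.

```sh
#!/bin/sh
# Added example, not part of the Handbook: script the "Creating Jails" steps
# for a list of jails on the shared read-only template, and check that no
# jail root directory passes through a symbolic link, since jail(8) refuses
# to start when jail_<name>_rootdir does. Assumes the layout from the text
# (/home/j/mroot, /home/j/<name>, /home/js/<name>) and that /home is a
# symlink to /usr/home as on a default installation; all paths are overridable.

TEMPLATE=${TEMPLATE:-/home/j/mroot}            # read-only master template
JAILS_DIR=${JAILS_DIR:-/home/j}                # one mount point per jail
RW_DIR=${RW_DIR:-/home/js}                     # per-jail read-write copies of skel
PHYS_JAILS_DIR=${PHYS_JAILS_DIR:-/usr/home/j}  # symlink-free path for rc.conf

# gen_jail_fstab NAME... : /etc/fstab lines, two per jail. The ro mount of the
# template precedes the rw mount on top of its /s directory so that "mount -a"
# can process the lines in order. Columns 5 and 6 are 0 so that dump(8) and
# fsck(8) skip the nullfs mounts.
gen_jail_fstab() {
    for j in "$@"; do
        printf '%s\t%s/%s\tnullfs\tro\t0\t0\n' "$TEMPLATE" "$JAILS_DIR" "$j"
        printf '%s/%s\t%s/%s/s\tnullfs\trw\t0\t0\n' "$RW_DIR" "$j" "$JAILS_DIR" "$j"
    done
}

# gen_jail_rcconf DOMAIN NAME=IP... : /etc/rc.conf block for the jail rc
# script. Hostnames become <name>.<domain>; rootdir uses the physical path.
gen_jail_rcconf() {
    domain=$1; shift
    list=
    for spec in "$@"; do
        case $spec in *=*) ;; *) echo "expected NAME=IP, got: $spec" >&2; return 2 ;; esac
        list="$list ${spec%%=*}"
    done
    printf 'jail_enable="YES"\n'
    printf 'jail_set_hostname_allow="NO"\n'   # jails may not rename themselves
    printf 'jail_list="%s"\n' "${list# }"
    for spec in "$@"; do
        j=${spec%%=*}; ip=${spec#*=}
        printf 'jail_%s_hostname="%s.%s"\n' "$j" "$j" "$domain"
        printf 'jail_%s_ip="%s"\n' "$j" "$ip"
        printf 'jail_%s_rootdir="%s/%s"\n' "$j" "$PHYS_JAILS_DIR" "$j"
        printf 'jail_%s_devfs_enable="YES"\n' "$j"
    done
}

# rootdir_symlink_component PATH : walk PATH component by component and print
# the first one that is a symbolic link, returning 1; print nothing and
# return 0 if the path is symlink-free (2 if PATH is not absolute).
rootdir_symlink_component() {
    case $1 in /*) ;; *) echo "not an absolute path: $1" >&2; return 2 ;; esac
    rest=${1#/}
    prefix=
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        if [ "$comp" = "$rest" ]; then rest=; else rest=${rest#*/}; fi
        [ -n "$comp" ] || continue            # skip empty parts from "//"
        prefix="$prefix/$comp"
        if [ -L "$prefix" ]; then
            printf '%s\n' "$prefix"
            return 1
        fi
    done
    return 0
}

# check_jail_rootdirs DIR... : report each root directory as OK or FAIL with
# the offending symlink; return 1 if any would make jail(8) refuse to start.
check_jail_rootdirs() {
    status=0
    for dir in "$@"; do
        if link=$(rootdir_symlink_component "$dir"); then
            printf 'OK   %s\n' "$dir"
        else
            printf 'FAIL %s (symlink at %s)\n' "$dir" "${link:-?}"
            status=1
        fi
    done
    return $status
}

# Example run for the three jails from the text:
#   gen_jail_fstab ns mail www >> /etc/fstab
#   gen_jail_rcconf example.org ns=192.168.3.17 mail=192.168.3.18 www=62.123.43.14 >> /etc/rc.conf
#   check_jail_rootdirs /home/j/ns /usr/home/j/ns     # first FAILs, second is OK
```

Run the generators once, review their output, and only then append it to the real files; `mount -a` and `service jail start` follow exactly as in the text.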

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:564
#, no-wrap
msgid "Upgrading"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:568
msgid ""
"The design of this setup provides an easy way to upgrade existing jails "
"while minimizing their downtime.  Also, it provides a way to roll back to "
"the older version should a problem occur."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:571
msgid ""
"The first step is to upgrade the host system. Then, create a new temporary "
"read-only template in [.filename]#/home/j/mroot2#."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:580
#, no-wrap
msgid ""
"# mkdir /home/j/mroot2\n"
"# cd /usr/src\n"
"# make installworld DESTDIR=/home/j/mroot2\n"
"# cd /home/j/mroot2\n"
"# cpdup /usr/src usr/src\n"
"# mkdir s\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:583
msgid ""
"The `installworld` creates a few unnecessary directories, which should be "
"removed:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:588
#, no-wrap
msgid ""
"# chflags -R 0 var\n"
"# rm -R etc var root usr/local tmp\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:591
msgid "Recreate the read-write symlinks for the master file system:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:601
#, no-wrap
msgid ""
"# ln -s s/etc etc\n"
"# ln -s s/root root\n"
"# ln -s s/home home\n"
"# ln -s ../s/usr-local usr/local\n"
"# ln -s ../s/usr-X11R6 usr/X11R6\n"
"# ln -s s/tmp tmp\n"
"# ln -s s/var var\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:604
msgid "Next, stop the jails:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:608
#, no-wrap
msgid "# service jail stop\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:611
msgid ""
"Unmount the original file systems, read-write mounts first, since the read-"
"write area of each jail is mounted on top of its read-only system at [."
"filename]#/s#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:620
#, no-wrap
msgid ""
"# umount /home/j/ns/s\n"
"# umount /home/j/ns\n"
"# umount /home/j/mail/s\n"
"# umount /home/j/mail\n"
"# umount /home/j/www/s\n"
"# umount /home/j/www\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:623
msgid ""
"Move the old read-only file system out of the way and replace it with the "
"new one.  The old copy serves as a backup and archive of the previous read-"
"only file system should something go wrong.  The naming convention used here "
"records the date on which the new read-only file system was created.  Move "
"the original FreeBSD Ports Collection over to the new file system to save "
"some space and inodes:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:630
#, no-wrap
msgid ""
"# cd /home/j\n"
"# mv mroot mroot.20060601\n"
"# mv mroot2 mroot\n"
"# mv mroot.20060601/usr/ports mroot/usr\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:633
msgid ""
"At this point the new read-only template is ready, so the only remaining "
"task is to remount the file systems and start the jails:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:642
msgid ""
"Use `jls` to check if the jails started correctly.  Run `mergemaster` in "
"each jail to update the configuration files."
msgstr ""
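The file-system half of this procedure as a script, an added example that is not part of the Handbook: `prepare_template` performs the cleanup and symlink steps on the new template, `swap_template` refuses to proceed until that has been done and until the dated archive name is free, then archives the live template and moves the Ports Collection across, and `rollback_template` reverses the swap, which is the roll-back the design promises but the text does not spell out. It assumes the layout above ([.filename]#/home/j/mroot# live, [.filename]#/home/j/mroot2# freshly installed) and that the jails have been stopped and their nullfs mounts unmounted; `installworld`, `mount -a`, `service jail start` and `mergemaster` remain manual steps. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Handbook: the template swap of the upgrade
# procedure, checked before it runs and reversible afterwards. Assumes the
# layout from the text: BASE/mroot is the live read-only template and
# BASE/mroot2 the freshly installed one. Jails must already be stopped and
# their nullfs mounts unmounted; installworld, mount -a, service jail start
# and mergemaster stay manual.

# prepare_template DIR : drop the directories installworld created that live
# in each jail's read-write area, then recreate the symlinks into /s.
prepare_template() {
    dir=$1
    [ -d "$dir/usr" ] || { echo "$dir: not an installed world" >&2; return 1; }
    mkdir -p "$dir/s"
    # installworld marks var/empty schg on FreeBSD; clear flags before rm.
    if command -v chflags >/dev/null 2>&1 && [ -d "$dir/var" ]; then
        chflags -R 0 "$dir/var"
    fi
    rm -rf "$dir/etc" "$dir/var" "$dir/root" "$dir/usr/local" "$dir/tmp" \
           "$dir/home" "$dir/usr/X11R6"
    ln -s s/etc "$dir/etc"
    ln -s s/root "$dir/root"
    ln -s s/home "$dir/home"
    ln -s ../s/usr-local "$dir/usr/local"
    ln -s ../s/usr-X11R6 "$dir/usr/X11R6"
    ln -s s/tmp "$dir/tmp"
    ln -s s/var "$dir/var"
}

# swap_template BASE [DATE] : archive the live template as mroot.DATE (today
# by default), promote mroot2 and move the Ports Collection across to save
# space and inodes. Refuses to run on an unprepared mroot2 or a used name.
swap_template() {
    base=$1 stamp=${2:-$(date +%Y%m%d)}
    live="$base/mroot" new="$base/mroot2" archive="$base/mroot.$stamp"
    { [ -d "$new/s" ] && [ -L "$new/etc" ]; } ||
        { echo "$new: run prepare_template first" >&2; return 1; }
    [ ! -e "$archive" ] || { echo "$archive already exists" >&2; return 1; }
    mv "$live" "$archive" || return 1
    if ! mv "$new" "$live"; then
        mv "$archive" "$live"          # put the old template back
        return 1
    fi
    if [ -d "$archive/usr/ports" ]; then
        mv "$archive/usr/ports" "$live/usr/" || return 1
    fi
    printf 'live: %s  archived: %s\n' "$live" "$archive"
}

# rollback_template BASE DATE : undo swap_template, keeping the newer
# template as mroot2 for another attempt once the problem is fixed.
rollback_template() {
    base=$1 archive="$base/mroot.$2" live="$base/mroot"
    [ -d "$archive" ] || { echo "$archive: no such archive" >&2; return 1; }
    [ ! -e "$base/mroot2" ] || { echo "$base/mroot2 is in the way" >&2; return 1; }
    mv "$live" "$base/mroot2" || return 1
    if ! mv "$archive" "$live"; then
        mv "$base/mroot2" "$live"
        return 1
    fi
    if [ -d "$base/mroot2/usr/ports" ]; then
        mv "$base/mroot2/usr/ports" "$live/usr/" || return 1
    fi
}

# Typical use after "service jail stop" and the umounts from the text:
#   prepare_template /home/j/mroot2 && swap_template /home/j
#   mount -a && service jail start
# and, if the new template misbehaves, after stopping and unmounting again:
#   rollback_template /home/j 20060601
```

Keeping the previous template under its dated name costs little and is what makes the roll-back a rename rather than a rebuild.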

#. type: Title ==
#: documentation/content/en/books/handbook/jails/_index.adoc:644
#, no-wrap
msgid "Managing Jails with ezjail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:652
msgid ""
"Creating and managing multiple jails can quickly become tedious and error-"
"prone.  Dirk Engling's ezjail automates and greatly simplifies many jail "
"tasks.  A _basejail_ is created as a template.  Additional jails use man:"
"mount_nullfs[8] to share many of the basejail directories without using "
"additional disk space.  Each additional jail takes only a few megabytes of "
"disk space before applications are installed.  Upgrading the copy of the "
"userland in the basejail automatically upgrades all of the other jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:654
msgid ""
"Additional benefits and features are described in detail on the ezjail web "
"site, https://erdgeist.org/arts/software/ezjail/[]."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:656
#, no-wrap
msgid "Installing ezjail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:659
msgid ""
"Installing ezjail consists of adding a loopback interface for use in jails, "
"installing the port or package, and enabling the service."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:663
msgid ""
"To keep jail loopback traffic off the host's loopback network interface "
"`lo0`, a second loopback interface is created by adding an entry to [."
"filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:667
#: documentation/content/en/books/handbook/jails/_index.adoc:1084
#, no-wrap
msgid "cloned_interfaces=\"lo1\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:671
msgid ""
"The second loopback interface `lo1` will be created when the system starts.  "
"It can also be created manually without a restart:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:676
#: documentation/content/en/books/handbook/jails/_index.adoc:1092
#, no-wrap
msgid ""
"# service netif cloneup\n"
"Created clone interfaces: lo1.\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:679
msgid ""
"Jails can be allowed to use aliases of this secondary loopback interface "
"without interfering with the host."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:682
msgid ""
"Inside a jail, access to the loopback address `127.0.0.1` is redirected to "
"the first IP address assigned to the jail.  To make the jail loopback "
"correspond with the new `lo1` interface, that interface must be specified "
"first in the list of interfaces and IP addresses given when creating a new "
"jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:684
msgid "Give each jail a unique loopback address in the `127.0.0.0/8` netblock."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:685
msgid "Install package:sysutils/ezjail[]:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:690
#, no-wrap
msgid ""
"# cd /usr/ports/sysutils/ezjail\n"
"# make install clean\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:693
msgid "Enable ezjail by adding this line to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:697
#, no-wrap
msgid "ezjail_enable=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:700
msgid ""
"The service will automatically start on system boot. It can be started "
"immediately for the current session:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:704
#, no-wrap
msgid "# service ezjail start\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:707
#, no-wrap
msgid "Initial Setup"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:711
msgid ""
"With ezjail installed, the basejail directory structure can be created and "
"populated.  This step is only needed once on the jail host computer."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:716
msgid ""
"In both of these examples, `-p` causes the ports tree to be retrieved with "
"man:portsnap[8] into the basejail.  That single copy of the ports directory "
"will be shared by all the jails.  Using a separate copy of the ports "
"directory for jails isolates them from the host.  The ezjail FAQ explains in "
"more detail: http://erdgeist.org/arts/software/ezjail/#FAQ[]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:721
msgid "To Populate the Jail with FreeBSD-RELEASE"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:724
msgid ""
"For a basejail based on the FreeBSD RELEASE matching that of the host "
"computer, use `install`.  For example, on a host computer running FreeBSD 13-"
"STABLE, the latest RELEASE version of FreeBSD 13 will be installed in the "
"jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:728
#, no-wrap
msgid "# ezjail-admin install -p\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:731
msgid "To Populate the Jail with `installworld`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:733
msgid ""
"The basejail can be installed from binaries created by `buildworld` on the "
"host with `ezjail-admin update`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:737
msgid ""
"In this example, FreeBSD 10-STABLE has been built from source.  The jail "
"directories are created.  Then `installworld` is executed, installing the "
"host's [.filename]#/usr/obj# into the basejail."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:741
#, no-wrap
msgid "# ezjail-admin update -i -p\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:745
msgid ""
"The host's [.filename]#/usr/src# is used by default.  A different source "
"directory on the host can be specified with `-s` and a path, or set with "
"`ezjail_sourcetree` in [.filename]#/usr/local/etc/ezjail.conf#."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:752
msgid ""
"The basejail's ports tree is shared by other jails.  However, downloaded "
"distfiles are stored in the jail that downloaded them.  By default, these "
"files are stored in [.filename]#/var/ports/distfiles# within each jail.  [."
"filename]#/var/ports# inside each jail is also used as a work directory when "
"building ports."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:760
msgid ""
"The FTP protocol is used by default to download the distribution sets for "
"the installation of the basejail.  Firewall or proxy configurations can "
"prevent or interfere with FTP transfers.  The HTTP protocol works differently "
"and avoids these problems.  It can be chosen by specifying a full URL for a "
"particular download mirror in [.filename]#/usr/local/etc/ezjail.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:764
#, no-wrap
msgid "ezjail_ftphost=http://ftp.FreeBSD.org\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:767
msgid "See the crossref:mirrors[mirrors,mirrors] section for a list of sites."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:770
#, no-wrap
msgid "Creating and Starting a New Jail"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:774
msgid ""
"New jails are created with `ezjail-admin create`.  In these examples, the "
"`lo1` loopback interface is used as described above."
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/jails/_index.adoc:777
#, no-wrap
msgid "Procedure: Create and Start a New Jail"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:779
msgid ""
"Create the jail, specifying a name and the loopback and network interfaces "
"to use, along with their IP addresses. In this example, the jail is named "
"`dnsjail`."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:783
#, no-wrap
msgid "# ezjail-admin create dnsjail 'lo1|127.0.1.1,em0|192.168.1.50'\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:791
msgid ""
"Most network services run in jails without problems.  A few network "
"services, most notably man:ping[8], use _raw network sockets_.  In jails, "
"raw network sockets are disabled by default for security.  Services that "
"require them will not work."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:796
msgid ""
"Occasionally, a jail genuinely needs raw sockets.  For example, network "
"monitoring applications often use man:ping[8] to check the availability of "
"other computers.  When raw network sockets are actually needed in a jail, "
"they can be enabled by editing the ezjail configuration file for the "
"individual jail, [.filename]#/usr/local/etc/ezjail/jailname#.  Modify the "
"`parameters` entry:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:800
#, no-wrap
msgid "export jail_jailname_parameters=\"allow.raw_sockets=1\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:803
msgid ""
"Do not enable raw network sockets unless services in the jail actually "
"require them."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:806
msgid "Start the jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:810
#, no-wrap
msgid "# ezjail-admin start dnsjail\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:813
msgid "Use a console on the jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:817
#, no-wrap
msgid "# ezjail-admin console dnsjail\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:821
msgid ""
"The jail is operating and additional configuration can be completed.  "
"Typical settings added at this point include:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:824
msgid "Set the `root` Password"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:826
msgid "Connect to the jail and set the `root` user's password:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:834
#, no-wrap
msgid ""
"# ezjail-admin console dnsjail\n"
"# passwd\n"
"Changing local password for root\n"
"New Password:\n"
"Retype New Password:\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:837
msgid "Time Zone Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:841
msgid ""
"The jail's time zone can be set with man:tzsetup[8].  To avoid spurious "
"error messages, the man:adjkerntz[8] entry in [.filename]#/etc/crontab# can "
"be commented or removed.  This job attempts to update the computer's "
"hardware clock with time zone changes, but jails are not allowed to access "
"that hardware."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:842
msgid "DNS Servers"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:844
msgid ""
"Enter domain name server lines in [.filename]#/etc/resolv.conf# so DNS works "
"in the jail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:845
msgid "Edit [.filename]#/etc/hosts#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:847
msgid ""
"Change the address and add the jail name to the `localhost` entries in [."
"filename]#/etc/hosts#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:848
msgid "Configure [.filename]#/etc/rc.conf#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:853
msgid ""
"Enter configuration settings in [.filename]#/etc/rc.conf#.  This is much "
"like configuring a full computer.  The host name and IP address are not set "
"here.  Those values are already provided by the jail configuration."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:855
msgid ""
"With the jail configured, the applications for which the jail was created "
"can be installed."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:860
msgid ""
"Some ports must be built with special options to be used in a jail.  For "
"example, both of the network monitoring plugin packages package:net-mgmt/"
"nagios-plugins[] and package:net-mgmt/monitoring-plugins[] have a `JAIL` "
"option which must be enabled for them to work correctly inside a jail."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:863
#, no-wrap
msgid "Updating Jails"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/jails/_index.adoc:866
#, no-wrap
msgid "Updating the Operating System"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:870
msgid ""
"Because the basejail's copy of the userland is shared by the other jails, "
"updating the basejail automatically updates all of the other jails.  Either "
"source or binary updates can be used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:872
msgid ""
"To build the world from source on the host, then install it in the basejail, "
"use:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:876
#, no-wrap
msgid "# ezjail-admin update -b\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:879
msgid ""
"If the world has already been compiled on the host, install it in the "
"basejail with:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:883
#, no-wrap
msgid "# ezjail-admin update -i\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:888
msgid ""
"Binary updates use man:freebsd-update[8].  These updates have the same "
"limitations as if man:freebsd-update[8] were being run directly.  The most "
"important one is that only -RELEASE versions of FreeBSD are available with "
"this method."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:891
msgid ""
"Update the basejail to the latest patched release of the version of FreeBSD "
"on the host, for example from RELEASE-p1 to RELEASE-p2:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:895
#, no-wrap
msgid "# ezjail-admin update -u\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:901
msgid ""
"To upgrade the basejail to a new version, first upgrade the host system as "
"described in crossref:cutting-edge[freebsdupdate-upgrade,“Performing Major "
"and Minor Version Upgrades”].  Once the host has been upgraded and rebooted, "
"the basejail can then be upgraded.  man:freebsd-update[8] has no way of "
"determining which version is currently installed in the basejail, so the "
"original version must be specified.  Use man:file[1] to determine the "
"original version in the basejail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:906
#, no-wrap
msgid ""
"# file /usr/jails/basejail/bin/sh\n"
"/usr/jails/basejail/bin/sh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 13.0, FreeBSD-style, stripped\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:909
msgid ""
"Now use this information to perform the upgrade from `13.0-RELEASE` to the "
"current version of the host system:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:913
#, no-wrap
msgid "# ezjail-admin update -U -s 13.0-RELEASE\n"
msgstr ""
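Scripting the detection step, as an added example that is not part of the Handbook or of ezjail: `release_from_file_desc` turns the `for FreeBSD X.Y` field of a man:file[1] description into the `X.Y-RELEASE` string that `-s` expects, and `ezjail_upgrade_cmd` prints the resulting command so the detected version can be compared with the host's `freebsd-version` before anything is changed. The basejail path [.filename]#/usr/jails/basejail# is ezjail's default as used in the text; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Handbook or of ezjail: derive the -s argument
# for "ezjail-admin update -U" from file(1)'s description of a basejail
# binary, since freebsd-update(8) cannot tell which release the basejail
# currently holds. Assumes file(1) reports the target release as
# "for FreeBSD X.Y", as in the output quoted in the text.

# release_from_file_desc DESCRIPTION : print X.Y-RELEASE for the version named
# in a file(1) description line; print nothing and return 1 if it has none.
release_from_file_desc() {
    rel=$(printf '%s\n' "$1" |
        sed -n 's/.*for FreeBSD \([0-9][0-9]*\.[0-9][0-9]*\).*/\1-RELEASE/p')
    [ -n "$rel" ] || return 1
    printf '%s\n' "$rel"
}

# basejail_release [BASEJAIL] : inspect the basejail's /bin/sh (default:
# ezjail's /usr/jails/basejail) and print the release it was built for.
basejail_release() {
    base=${1:-/usr/jails/basejail}
    [ -x "$base/bin/sh" ] || { echo "no basejail at $base" >&2; return 1; }
    release_from_file_desc "$(file -b "$base/bin/sh")"
}

# ezjail_upgrade_cmd [BASEJAIL] : print, rather than run, the upgrade command
# so that the detected version can be reviewed against the host's
# freebsd-version(1) before the basejail is touched.
ezjail_upgrade_cmd() {
    rel=$(basejail_release "$1") || return 1
    printf 'ezjail-admin update -U -s %s\n' "$rel"
}

# Usage on the jail host:
#   . ./basejail-release.sh && ezjail_upgrade_cmd
# For a basejail whose /bin/sh is reported as "for FreeBSD 13.0" this prints
# the command shown in the text, which can then be pasted and run.
```

man:file[1] reports the release the binary was built for and says nothing about its patch level, so the detected value carries no `-pN` suffix; that matches the form in which `-s` is given in the text.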

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:916
msgid ""
"After updating the basejail, man:mergemaster[8] must be run to update each "
"jail's configuration files."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:919
msgid ""
"How to use man:mergemaster[8] depends on the purpose and trustworthiness of "
"a jail.  A tool run as `root` on the host operates on whatever the jail has "
"placed in its file tree, including symbolic links that point outside the "
"jail.  If a jail's services or users are not trusted, then man:"
"mergemaster[8] should only be run from within that jail:"
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/jails/_index.adoc:921
#, no-wrap
msgid "man:mergemaster[8] on Untrusted Jail"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:926
msgid ""
"Delete the link from the jail's [.filename]#/usr/src# into the basejail and "
"create a new [.filename]#/usr/src# in the jail as a mountpoint.  Mount the "
"host computer's [.filename]#/usr/src# read-only on the jail's new [."
"filename]#/usr/src# mountpoint:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:932
#, no-wrap
msgid ""
"# rm /usr/jails/jailname/usr/src\n"
"# mkdir /usr/jails/jailname/usr/src\n"
"# mount -t nullfs -o ro /usr/src /usr/jails/jailname/usr/src\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:935
msgid "Get a console in the jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:939
#, no-wrap
msgid "# ezjail-admin console jailname\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:943
msgid "Inside the jail, run `mergemaster`.  Then exit the jail console:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:949
#, no-wrap
msgid ""
"# cd /usr/src\n"
"# mergemaster -U\n"
"# exit\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:952
msgid "Finally, unmount the jail's [.filename]#/usr/src#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:956
#, no-wrap
msgid "# umount /usr/jails/jailname/usr/src\n"
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/jails/_index.adoc:961
#, no-wrap
msgid "man:mergemaster[8] on Trusted Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:966
msgid ""
"If the users and services in a jail are trusted, man:mergemaster[8] can be "
"run from the host:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:970
#, no-wrap
msgid "# mergemaster -U -D /usr/jails/jailname\n"
msgstr ""
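
Added example, not part of the Handbook or of ezjail: before running a host-side tool such as `mergemaster -U -D /usr/jails/jailname` against a jail tree, list every symbolic link under the jail root whose target, resolved from the host's point of view, lies outside that root. The jail layout and the three links in the demo tree are constructed for the example and are assumptions, not a real jail.

```python
"""Find symbolic links in a jail tree that escape the jail when resolved by the host.

Added example: the demo tree and its links are constructed here, not taken from a real jail.
"""
import os
import tempfile


def escaping_symlinks(jail_root):
    """Return [(link relative to jail_root, host-side target)] for every link leaving the jail.

    os.path.realpath resolves the link exactly as a host process would: an absolute
    target such as /etc/passwd means the HOST's /etc/passwd, not the jail's copy.
    """
    root = os.path.realpath(jail_root)
    escapes = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False: never descend into links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                escapes.append((os.path.relpath(path, root), target))
    return sorted(escapes)


def build_demo_jail():
    """Constructed jail tree (assumed layout): one harmless link and two that escape."""
    base = tempfile.mkdtemp(prefix="jailcheck-")
    jail = os.path.join(base, "jails", "untrusted")
    os.makedirs(os.path.join(jail, "etc"))
    os.makedirs(os.path.join(jail, "usr", "local", "etc"))
    open(os.path.join(jail, "etc", "rc.conf"), "w").close()
    # Relative link that stays inside the jail: harmless.
    os.symlink("rc.conf", os.path.join(jail, "etc", "rc.conf.local"))
    # Absolute link: inside the jail it is the jail's passwd, from the host it is /etc/passwd.
    os.symlink("/etc/passwd", os.path.join(jail, "etc", "passwd.new"))
    # Dot-dot climb that lands above the jail root.
    os.symlink("../../../../../etc", os.path.join(jail, "usr", "local", "etc", "host-etc"))
    return jail


def safe_for_host_tools(jail_root):
    """True only when no link under jail_root can redirect a host-side write outside it."""
    return not escaping_symlinks(jail_root)


if __name__ == "__main__":
    demo = build_demo_jail()
    for link, target in escaping_symlinks(demo):
        print(f"{link} -> {target}")
    print("safe:", safe_for_host_tools(demo))
```

Run it against a real jail as `escaping_symlinks("/usr/jails/jailname")` from the host; any hit is a reason to use the untrusted-jail procedure above instead of `-D`.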

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:978
msgid ""
"After a major version upgrade, package:sysutils/ezjail[] recommends making "
"sure that `pkg` in each jail matches the new release.  Inside each jail, "
"enter:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:982
#, no-wrap
msgid "# pkg-static upgrade -f pkg\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:985
msgid "to upgrade or downgrade to the appropriate version."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/jails/_index.adoc:988
#, no-wrap
msgid "Updating Ports"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:992
msgid ""
"The ports tree in the basejail is shared by the other jails.  Updating that "
"copy of the ports tree gives the other jails the updated version also."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:994
msgid "The basejail ports tree is updated with man:portsnap[8]:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:998
#, no-wrap
msgid "# ezjail-admin update -P\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:1001
#, no-wrap
msgid "Controlling Jails"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/jails/_index.adoc:1004
#, no-wrap
msgid "Stopping and Starting Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1008
msgid ""
"ezjail automatically starts jails when the computer is started.  Jails can "
"be manually stopped and restarted with `stop` and `start`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1013
#, no-wrap
msgid ""
"# ezjail-admin stop sambajail\n"
"Stopping jails: sambajail.\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1017
msgid ""
"By default, jails are started automatically when the host computer starts.  "
"Autostarting can be disabled with `config`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1021
#, no-wrap
msgid "# ezjail-admin config -r norun seldomjail\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1025
msgid ""
"This takes effect the next time the host computer is started.  A jail that "
"is already running will not be stopped."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1027
msgid "Enabling autostart is very similar:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1031
#, no-wrap
msgid "# ezjail-admin config -r run oftenjail\n"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/jails/_index.adoc:1034
#, no-wrap
msgid "Archiving and Restoring Jails"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1040
msgid ""
"Use `archive` to create a [.filename]#.tar.gz# archive of a jail.  The file "
"name is composed from the name of the jail and the current date.  Archive "
"files are written to the archive directory, [.filename]#/usr/jails/"
"ezjail_archives#.  A different archive directory can be chosen by setting "
"`ezjail_archivedir` in the configuration file."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1043
msgid ""
"The archive file can be copied elsewhere as a backup, or an existing jail "
"can be restored from it with `restore`.  A new jail can be created from the "
"archive, providing a convenient way to clone existing jails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1045
msgid "Stop and archive a jail named `wwwserver`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1053
#, no-wrap
msgid ""
"# ezjail-admin stop wwwserver\n"
"Stopping jails: wwwserver.\n"
"# ezjail-admin archive wwwserver\n"
"# ls /usr/jails/ezjail_archives/\n"
"wwwserver-201407271153.13.tar.gz\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1057
msgid ""
"Create a new jail named `wwwserver-clone` from the archive created in the "
"previous step.  Use the [.filename]#em1# interface and assign a new IP "
"address to avoid conflict with the original:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1061
#, no-wrap
msgid "# ezjail-admin create -a /usr/jails/ezjail_archives/wwwserver-201407271153.13.tar.gz wwwserver-clone 'lo1|127.0.3.1,em1|192.168.1.51'\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/jails/_index.adoc:1064
#, no-wrap
msgid "Full Example: BIND in a Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1068
msgid ""
"Putting the BIND DNS server in a jail improves security by isolating it.  "
"This example creates a simple caching-only name server."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1070
msgid "The jail will be called `dns1`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1071
msgid ""
"The jail will use IP address `192.168.1.240` on the host's `re0` interface."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1072
msgid "The upstream ISP's DNS servers are at `10.0.0.62` and `10.0.0.61`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1073
msgid ""
"The basejail has already been created and a ports tree installed as shown in "
"<<jails-ezjail-initialsetup>>."
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/jails/_index.adoc:1075
#, no-wrap
msgid "Running BIND in a Jail"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1080
msgid ""
"Create a cloned loopback interface by adding a line to [.filename]#/etc/rc."
"conf#:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1087
msgid "Immediately create the new loopback interface:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1095
msgid "Create the jail:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1099
#, no-wrap
msgid "# ezjail-admin create dns1 'lo1|127.0.2.1,re0|192.168.1.240'\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1102
msgid ""
"Start the jail, connect to a console running on it, and perform some basic "
"configuration:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1114
#, no-wrap
msgid ""
"# ezjail-admin start dns1\n"
"# ezjail-admin console dns1\n"
"# passwd\n"
"Changing local password for root\n"
"New Password:\n"
"Retype New Password:\n"
"# tzsetup\n"
"# sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab\n"
"# sed -i .bak -e 's/127.0.0.1/127.0.2.1/g; s/localhost.my.domain/dns1.my.domain dns1/' /etc/hosts\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1117
msgid ""
"Temporarily set the upstream DNS servers in [.filename]#/etc/resolv.conf# so "
"ports can be downloaded:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1122
#, no-wrap
msgid ""
"nameserver 10.0.0.62\n"
"nameserver 10.0.0.61\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1125
msgid "Still using the jail console, install package:dns/bind99[]."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1129
#, no-wrap
msgid "# make -C /usr/ports/dns/bind99 install clean\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1132
msgid ""
"Configure the name server by editing [.filename]#/usr/local/etc/namedb/named."
"conf#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1135
msgid ""
"Create an Access Control List (ACL) of addresses and networks that are "
"permitted to send DNS queries to this name server.  This section is added "
"just before the `options` section already in the file:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1140
#, no-wrap
msgid ""
"...\n"
"// or cause huge amounts of useless Internet traffic.\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1146
#, no-wrap
msgid ""
"acl \"trusted\" {\n"
"\t192.168.1.0/24;\n"
"\tlocalhost;\n"
"\tlocalnets;\n"
"};\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1149
#, no-wrap
msgid ""
"options {\n"
"...\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1152
msgid ""
"Use the jail IP address in the `listen-on` setting to accept DNS queries "
"from other computers on the network:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1156
#, no-wrap
msgid "\tlisten-on\t{ 192.168.1.240; };\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1160
msgid ""
"A simple caching-only DNS name server is created by changing the "
"`forwarders` section.  The original file contains:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1168
#, no-wrap
msgid ""
"/*\n"
"\tforwarders {\n"
"\t\t127.0.0.1;\n"
"\t};\n"
"*/\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1173
msgid ""
"Uncomment the section by removing the `/\\*` and `*/` lines.  Enter the IP "
"addresses of the upstream DNS servers.  Immediately after the `forwarders` "
"section, add references to the `trusted` ACL defined earlier:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1180
#, no-wrap
msgid ""
"\tforwarders {\n"
"\t\t10.0.0.62;\n"
"\t\t10.0.0.61;\n"
"\t};\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1184
#, no-wrap
msgid ""
"\tallow-query       { any; };\n"
"\tallow-recursion   { trusted; };\n"
"\tallow-query-cache { trusted; };\n"
msgstr ""
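
Added example, not part of the Handbook or of BIND: a small audit of the `acl` and `options` sections above that flags the open-resolver mistake (`allow-recursion` or `allow-query-cache` expanding to `any`, directly or through a named ACL), checks that `listen-on` lists the jail address, and checks that a live, uncommented `forwarders` block exists. The two embedded configurations are constructed for the example: one mirrors the settings above, the other is the weak variant. It reads only the statement forms used on this page and is an assumption about the config shape, not a full named.conf parser.

```python
"""Audit a BIND named.conf for the open-resolver mistakes the jail example avoids."""
import re

# Constructed: mirrors the hardened settings above (trusted ACL, restricted recursion).
HARDENED_CONF = """\
acl "trusted" {
\t192.168.1.0/24;
\tlocalhost;
\tlocalnets;
};

options {
\tdirectory\t"/usr/local/etc/namedb/working";
\tlisten-on\t{ 192.168.1.240; };
\tforwarders {
\t\t10.0.0.62;
\t\t10.0.0.61;
\t};
\tallow-query       { any; };
\tallow-recursion   { trusted; };
\tallow-query-cache { trusted; };
};
"""

# Constructed weak variant: "trusted" is open through a nested ACL, the forwarders
# block is still commented out, and listen-on does not name the jail address.
OPEN_CONF = """\
acl "everyone" { any; };
acl "trusted" { 192.168.1.0/24; everyone; };

options {
\tlisten-on { any; };
/*
\tforwarders {
\t\t127.0.0.1;
\t};
*/
\tallow-query       { any; };
\tallow-recursion   { any; };
\tallow-query-cache { trusted; };
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out block is not read as live config."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block_body(text, brace_pos):
    """Return the text between the '{' at brace_pos and its matching '}'."""
    depth = 0
    for i in range(brace_pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace_pos + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _members(body):
    """Split an address-match list body into its elements."""
    return [m.strip().strip('"') for m in body.split(";") if m.strip()]


def parse_named_conf(text):
    """Return (acls, options): named ACLs and the block-valued statements inside options {}.

    Only one level of braces inside options is handled; that covers listen-on,
    forwarders and the allow-* statements used in the example.
    """
    text = strip_comments(text)
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w-]+)"?\s*\{', text):
        acls[m.group(1)] = _members(_block_body(text, m.end() - 1))
    options = {}
    m = re.search(r"\boptions\s*\{", text)
    if m:
        body = _block_body(text, m.end() - 1)
        for stmt in re.finditer(r"([\w-]+)[^{};]*\{([^{}]*)\}\s*;", body):
            options[stmt.group(1)] = _members(stmt.group(2))
    return acls, options


def expand_acl(members, acls, seen=frozenset()):
    """Flatten references to named ACLs so a 'trusted' that hides an 'any' is still caught."""
    result = set()
    for member in members:
        if member in acls and member not in seen:
            result |= expand_acl(acls[member], acls, seen | {member})
        else:
            result.add(member)
    return result


def audit(text, jail_ip):
    """Return a list of findings; an empty list means the config matches the hardened example."""
    acls, options = parse_named_conf(text)
    findings = []
    # A statement that is absent is left to BIND's own default and is not judged here.
    for key in ("allow-recursion", "allow-query-cache"):
        if expand_acl(options.get(key, []), acls) & {"any", "0.0.0.0/0", "::/0"}:
            findings.append(f"{key} is effectively open to any client (open resolver)")
    if jail_ip not in options.get("listen-on", []):
        findings.append(f"listen-on does not list the jail address {jail_ip}")
    if not options.get("forwarders"):
        findings.append("no live forwarders block: the server would recurse to the roots itself")
    return findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("open", OPEN_CONF)):
        print(name, audit(conf, "192.168.1.240") or ["no findings"])
```

`allow-query { any; }` is deliberately left alone: with recursion and cache access limited to `trusted`, outside clients get no recursive service, which is the property that keeps the jail from becoming an open resolver.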

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1187
msgid "Enable the service in [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1191
#, no-wrap
msgid "named_enable=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1194
msgid "Start and test the name server:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1201
#, no-wrap
msgid ""
"# service named start\n"
"wrote key file \"/usr/local/etc/namedb/rndc.key\"\n"
"Starting named.\n"
"# /usr/local/bin/dig @192.168.1.240 freebsd.org\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1204
msgid "A response that includes"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1208
#, no-wrap
msgid ";; Got answer;\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1212
msgid ""
"shows that the new DNS server is working.  A long delay followed by a "
"response including"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1216
#, no-wrap
msgid ";; connection timed out; no servers could be reached\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1220
msgid ""
"shows a problem.  Check the configuration settings and make sure any local "
"firewalls allow the new DNS server to reach the upstream DNS servers."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1223
msgid ""
"The new DNS server can use itself for local name resolution, just like other "
"local computers.  Set the address of the DNS server in the client computer's "
"[.filename]#/etc/resolv.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/jails/_index.adoc:1227
#, no-wrap
msgid "nameserver 192.168.1.240\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/jails/_index.adoc:1230
msgid ""
"A local DHCP server can be configured to provide this address for a local "
"DNS server, providing automatic configuration on DHCP clients."
msgstr ""
